Unpatched Vulnerability in Oracle Field Service Portal allows Low-Privileged Attacks
CVE-2024-21271

8.1HIGH

Key Information:

Vendor: Oracle
Status: Oracle Field Service
Vendor: CVE Published:; 15 October 2024

Summary

A vulnerability exists in the Oracle Field Service component of Oracle E-Business Suite, primarily impacting versions 12.2.3 to 12.2.13. This vulnerability enables low-privileged attackers with network access via HTTP to exploit weaknesses in the system. When successfully executed, this vulnerability can lead to unauthorized creation, deletion, or modification of sensitive data. Attackers may gain unauthorized access to critical data and the ability to manipulate all accessible information within Oracle Field Service. Organizations utilizing the affected versions are urged to implement appropriate security patches to mitigate these risks and safeguard their data integrity.

Affected Version(s)

Oracle Field Service 12.2.3 <= 12.2.13

References

https://www.oracle.com/security-alerts/cpuoct2024.html

vendor-advisory

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 15, 2024
Vulnerability Reserved
Dec 7, 2023

Collectors

NVD DatabaseMitre Database